Netflix has released an open source tool, developed in-house by its engineering team, that can find second-order XSS vulnerabilities in web applications. The tool is called Sleepy Puppy, and while it’s a good initiative from Netflix, the auto-detection of ‘Delayed XSS’ is nothing new.

In August 2013, Acunetix announced the 9th edition of its flagship web vulnerability scanner. Among the new features, Acunetix released a new service called AcuMonitor. AcuMonitor is a free service included with Acunetix Vulnerability Scanner that allows the detection of vulnerabilities that do not provide a response to a scanner during testing; in other words, the response from the vulnerability test is delayed.

What’s in a name?

Unfortunately, names don’t always properly or fully reflect what they are trying to describe – some argue that cross-site scripting should be named something more representative such as JavaScript injection. Be that as it may, everyone refers to it as XSS and using another name would only cause confusion.

The same applies to Blind XSS and Delayed XSS. One of the first popular talks about the subject was at DEFCON 20 by Adam Baldwin. During his talk, Baldwin specifically mentions the following about Blind XSS:

It’s not like Blind SQLi where you get immediate feedback.

While it could be argued that Delayed XSS is technically a better name for what Acunetix AcuMonitor and Sleepy Puppy attempt to find, for all intents and purposes, Delayed XSS is nothing new – it’s Blind XSS with a different name.